php.lang.security.redirect-to-request-uri.redirect-to-request-uri

Author
unknown
Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.
Definition
rules:
  - id: redirect-to-request-uri
    patterns:
      - pattern-either:
          - pattern: |
              header('$LOCATION' . $_SERVER['REQUEST_URI']);
          - pattern: |
              header('$LOCATION' . $_SERVER['REQUEST_URI'] . $MORE);
      - metavariable-regex:
          metavariable: $LOCATION
          regex: ^(?i)location:\s*$
    message: Redirecting to the current request URL may redirect to another domain,
      if the current path starts with two slashes. E.g. in
      https://www.example.com//attacker.com, the value of REQUEST_URI is
      //attacker.com, and redirecting to it will redirect to that domain.
    metadata:
      references:
        - https://www.php.net/manual/en/reserved.variables.server.php
        - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
      category: security
      technology:
        - php
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      likelihood: MEDIUM
      impact: LOW
      confidence: MEDIUM
      subcategory:
        - vuln
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: WARNING
Examples
redirect-to-request-uri.php
<?php
// ruleid: redirect-to-request-uri
header('Location: '.$_SERVER['REQUEST_URI']);
// ruleid: redirect-to-request-uri
header('location:'.$_SERVER['REQUEST_URI']);
// ruleid: redirect-to-request-uri
header('Location: '.$_SERVER['REQUEST_URI'].'/');
// ruleid: redirect-to-request-uri
header("Location: ".$_SERVER['REQUEST_URI']);
// ruleid: redirect-to-request-uri
header('Location: '.$_SERVER["REQUEST_URI"]);
// ok: redirect-to-request-uri
header('Location: '.$_SERVER['PHP_SELF']);
// ok: redirect-to-request-uri
header('X-Request-Uri: '.$_SERVER['REQUEST_URI']);
// ok: redirect-to-request-uri
header('Location: https://semgrep.dev'.$_SERVER['REQUEST_URI']);
// ok: redirect-to-request-uri
header('Location: '.$BASE_URL.$_SERVER['REQUEST_URI']);
// ok: redirect-to-request-uri
// (original test file read $SERVER['HTTP_HOST'], an undefined variable; corrected to $_SERVER)
header('Location: '.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
// ok: redirect-to-request-uri
header('Location: /foo');
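The flagged pattern beside one way to harden it, as an added example that is not part of the Semgrep rule or its test file. The helper name sameOriginPath and the application origin https://www.example.com are assumptions; the fix pins the redirect to the application's own origin and refuses any request URI that a browser would read as scheme-relative.

```php
<?php
// Added example (not from the Semgrep rule or its test file).
// Reduces $_SERVER['REQUEST_URI'] to a same-origin path before it is used in a
// Location header, so that "//attacker.com" can no longer become the target.

function sameOriginPath(string $requestUri): string
{
    // A leading "//" (or "/\", which browsers normalise to "//") makes the
    // Location value scheme-relative: https://www.example.com//attacker.com
    // arrives as REQUEST_URI "//attacker.com". Fall back to the site root.
    if (preg_match('#^[/\\\\]{2}#', $requestUri)) {
        return '/';
    }

    // Anything parse_url reads as carrying a scheme or host is not a local path.
    $parts = parse_url($requestUri);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return '/';
    }

    // Require an absolute path; keep the query string, drop any fragment.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/') {
        return '/';
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Vulnerable form, as flagged by the rule:
//   header('Location: ' . $_SERVER['REQUEST_URI']);

// Hardened form: the origin is a constant the application controls (assumed
// here to be https://www.example.com), and only a validated path is appended.
$target = sameOriginPath($_SERVER['REQUEST_URI'] ?? '/');
header('Location: https://www.example.com' . $target, true, 302);
exit;
```

Because the hardened call concatenates a string literal that is not just "Location:" before the path, it also no longer matches the rule's pattern, which requires $_SERVER['REQUEST_URI'] to be appended directly to the header name.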
Short Link: https://sg.run/RWl2